Merge pull request #667 from CleanTalk/fix_vuln_weak_spot_av

AntonV1211 · web-flow · commit 15a212e843a8 · 2026-06-15T11:55:48.000+07:00
Fix. Scanner. Editing the data preparation in the table
diff --git a/inc/spbc-settings.php b/inc/spbc-settings.php
@@ -2124,10 +2124,12 @@ function spbc_field_scanner__prepare_data__files(&$table)
                     if ( ! empty($weak_spots['SIGNATURES']) && $signatures) {
                         foreach ($weak_spots['SIGNATURES'] as $_string => $weak_spot_in_string) {
                             foreach ($weak_spot_in_string as $weak_spot) {
-                                $ws_string .= '<span class="spbcRed"><i setting="signatures_' . $signatures[ $weak_spot ]->attack_type . '" class="spbc_long_description__show spbc-icon-help-circled"></i>' . $signatures[ $weak_spot ]->attack_type . ': </span>'
-                                             . (strlen($signatures[ $weak_spot ]->name) > 30
-                                        ? substr($signatures[ $weak_spot ]->name, 0, 30) . '...'
-                                        : $signatures[ $weak_spot ]->name);
+                                $attack_type = isset($signatures[ $weak_spot ]) ? $signatures[ $weak_spot ]->attack_type : '';
+                                $sig_name = isset($signatures[ $weak_spot ]) ? $signatures[ $weak_spot ]->name : '';
+                                $ws_string .= '<span class="spbcRed"><i setting="signatures_' . esc_attr($attack_type) . '" class="spbc_long_description__show spbc-icon-help-circled"></i>' . esc_html($attack_type) . ': </span>'
+                                             . (strlen($sig_name) > 30
+                                        ? esc_html(substr($sig_name, 0, 30)) . '...'
+                                        : esc_html($sig_name));
                             }
                         }
                     }
@@ -2139,10 +2141,10 @@ function spbc_field_scanner__prepare_data__files(&$table)
                         }
                         $all_unique_weak_spots = array_unique($all_unique_weak_spots);
                         foreach ($all_unique_weak_spots as $weak_spot_in_string) {
-                            $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="heuristic_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Heuristic: </span>'
+                            $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="heuristic_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Heuristic: </span>'
                                     . (strlen($weak_spot_in_string) > 30
-                                    ? substr($weak_spot_in_string, 0, 30) . '...'
-                                    : $weak_spot_in_string);
+                                    ? esc_html(substr($weak_spot_in_string, 0, 30)) . '...'
+                                    : esc_html($weak_spot_in_string));
                             $ws_string .= '</p>';
                         }
                     }
@@ -2154,10 +2156,10 @@ function spbc_field_scanner__prepare_data__files(&$table)
                         }
                         $all_unique_weak_spots = array_unique($all_unique_weak_spots);
                         foreach ($all_unique_weak_spots as $weak_spot_in_string) {
-                            $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="suspicious_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Suspicious: </span>'
+                            $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="suspicious_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Suspicious: </span>'
                                 . (strlen($weak_spot_in_string) > 30
-                                ? substr($weak_spot_in_string, 0, 30) . '...'
-                                : $weak_spot_in_string);
+                                ? esc_html(substr($weak_spot_in_string, 0, 30)) . '...'
+                                : esc_html($weak_spot_in_string));
                             $ws_string .= '</p>';
                         }
                     }
@@ -2169,7 +2171,7 @@ function spbc_field_scanner__prepare_data__files(&$table)
                         }
                         $all_unique_weak_spots = array_unique($all_unique_weak_spots);
                         foreach ($all_unique_weak_spots as $weak_spot_in_string) {
-                             $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="hash_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Hash: </span>'
+                             $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="hash_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Hash: </span>'
                                 . 'denied';
 
                             $ws_string .= '</p>';
@@ -2205,7 +2207,7 @@ function spbc_field_scanner__prepare_data__files(&$table)
                     $errors = json_decode($row->error_msg, true);
                     if (!empty($errors)) {
                         foreach ($errors as $_key => $_val) {
-                            $parsed_item_error .= '<p>' . $_key . ': ' . $_val . '</p>';
+                            $parsed_item_error .= '<p>' . esc_html($_key) . ': ' . esc_html($_val) . '</p>';
                         }
                     } else {
                         $parsed_item_error = 'Unknown error';
@@ -2272,12 +2274,12 @@ function spbc_field_scanner__prepare_data__analysis_log(&$table)
                     }
                     break;
                 default:
-                    $pscan_status = $row->pscan_processing_status;
+                    $pscan_status = esc_html($row->pscan_processing_status);
                     $analysis_comment = 'Not scanned by Cloud or CleanTalk team.';
             }
 
             if ( isset($row->status) && $row->status === 'QUARANTINED' ) {
-                $pscan_status = $row->pscan_status;
+                $pscan_status = esc_html($row->pscan_status);
                 $analysis_comment = __('Quarantined by user', 'security-malware-firewall');
             }
 

Original file line number	Diff line number	Diff line change
`@@ -2124,10 +2124,12 @@ function spbc_field_scanner__prepare_data__files(&$table)`
`2124`	`2124`	`if ( ! empty($weak_spots['SIGNATURES']) && $signatures) {`
`2125`	`2125`	`foreach ($weak_spots['SIGNATURES'] as $_string => $weak_spot_in_string) {`
`2126`	`2126`	`foreach ($weak_spot_in_string as $weak_spot) {`
`2127`		`- $ws_string .= '<span class="spbcRed"><i setting="signatures_' . $signatures[ $weak_spot ]->attack_type . '" class="spbc_long_description__show spbc-icon-help-circled"></i>' . $signatures[ $weak_spot ]->attack_type . ': </span>'`
`2128`		`- . (strlen($signatures[ $weak_spot ]->name) > 30`
`2129`		`- ? substr($signatures[ $weak_spot ]->name, 0, 30) . '...'`
`2130`		`- : $signatures[ $weak_spot ]->name);`
	`2127`	`+ $attack_type = isset($signatures[ $weak_spot ]) ? $signatures[ $weak_spot ]->attack_type : '';`
	`2128`	`+ $sig_name = isset($signatures[ $weak_spot ]) ? $signatures[ $weak_spot ]->name : '';`
	`2129`	`+ $ws_string .= '<span class="spbcRed"><i setting="signatures_' . esc_attr($attack_type) . '" class="spbc_long_description__show spbc-icon-help-circled"></i>' . esc_html($attack_type) . ': </span>'`
	`2130`	`+ . (strlen($sig_name) > 30`
	`2131`	`+ ? esc_html(substr($sig_name, 0, 30)) . '...'`
	`2132`	`+ : esc_html($sig_name));`
`2131`	`2133`	`}`
`2132`	`2134`	`}`
`2133`	`2135`	`}`
`@@ -2139,10 +2141,10 @@ function spbc_field_scanner__prepare_data__files(&$table)`
`2139`	`2141`	`}`
`2140`	`2142`	`$all_unique_weak_spots = array_unique($all_unique_weak_spots);`
`2141`	`2143`	`foreach ($all_unique_weak_spots as $weak_spot_in_string) {`
`2142`		`- $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="heuristic_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Heuristic: </span>'`
	`2144`	`+ $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="heuristic_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Heuristic: </span>'`
`2143`	`2145`	`. (strlen($weak_spot_in_string) > 30`
`2144`		`- ? substr($weak_spot_in_string, 0, 30) . '...'`
`2145`		`- : $weak_spot_in_string);`
	`2146`	`+ ? esc_html(substr($weak_spot_in_string, 0, 30)) . '...'`
	`2147`	`+ : esc_html($weak_spot_in_string));`
`2146`	`2148`	`$ws_string .= '</p>';`
`2147`	`2149`	`}`
`2148`	`2150`	`}`
`@@ -2154,10 +2156,10 @@ function spbc_field_scanner__prepare_data__files(&$table)`
`2154`	`2156`	`}`
`2155`	`2157`	`$all_unique_weak_spots = array_unique($all_unique_weak_spots);`
`2156`	`2158`	`foreach ($all_unique_weak_spots as $weak_spot_in_string) {`
`2157`		`- $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="suspicious_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Suspicious: </span>'`
	`2159`	`+ $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="suspicious_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Suspicious: </span>'`
`2158`	`2160`	`. (strlen($weak_spot_in_string) > 30`
`2159`		`- ? substr($weak_spot_in_string, 0, 30) . '...'`
`2160`		`- : $weak_spot_in_string);`
	`2161`	`+ ? esc_html(substr($weak_spot_in_string, 0, 30)) . '...'`
	`2162`	`+ : esc_html($weak_spot_in_string));`
`2161`	`2163`	`$ws_string .= '</p>';`
`2162`	`2164`	`}`
`2163`	`2165`	`}`
`@@ -2169,7 +2171,7 @@ function spbc_field_scanner__prepare_data__files(&$table)`
`2169`	`2171`	`}`
`2170`	`2172`	`$all_unique_weak_spots = array_unique($all_unique_weak_spots);`
`2171`	`2173`	`foreach ($all_unique_weak_spots as $weak_spot_in_string) {`
`2172`		`- $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="hash_' . str_replace(' ', '_', $weak_spot_in_string) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Hash: </span>'`
	`2174`	`+ $ws_string .= '<p style="margin: 0;"><span class="spbcRed"><i setting="hash_' . esc_attr(str_replace(' ', '_', $weak_spot_in_string)) . '" class="spbc_long_description__show spbc-icon-help-circled"></i> Hash: </span>'`
`2173`	`2175`	`. 'denied';`
`2174`	`2176`
`2175`	`2177`	`$ws_string .= '</p>';`
`@@ -2205,7 +2207,7 @@ function spbc_field_scanner__prepare_data__files(&$table)`
`2205`	`2207`	`$errors = json_decode($row->error_msg, true);`
`2206`	`2208`	`if (!empty($errors)) {`
`2207`	`2209`	`foreach ($errors as $_key => $_val) {`
`2208`		`- $parsed_item_error .= '<p>' . $_key . ': ' . $_val . '</p>';`
	`2210`	`+ $parsed_item_error .= '<p>' . esc_html($_key) . ': ' . esc_html($_val) . '</p>';`
`2209`	`2211`	`}`
`2210`	`2212`	`} else {`
`2211`	`2213`	`$parsed_item_error = 'Unknown error';`
`@@ -2272,12 +2274,12 @@ function spbc_field_scanner__prepare_data__analysis_log(&$table)`
`2272`	`2274`	`}`
`2273`	`2275`	`break;`
`2274`	`2276`	`default:`
`2275`		`- $pscan_status = $row->pscan_processing_status;`
	`2277`	`+ $pscan_status = esc_html($row->pscan_processing_status);`
`2276`	`2278`	`$analysis_comment = 'Not scanned by Cloud or CleanTalk team.';`
`2277`	`2279`	`}`
`2278`	`2280`
`2279`	`2281`	`if ( isset($row->status) && $row->status === 'QUARANTINED' ) {`
`2280`		`- $pscan_status = $row->pscan_status;`
	`2282`	`+ $pscan_status = esc_html($row->pscan_status);`
`2281`	`2283`	`$analysis_comment = __('Quarantined by user', 'security-malware-firewall');`
`2282`	`2284`	`}`
`2283`	`2285`